Windows 24H2 and 3rd Party SMB Shares
Posted by lweinmunson@reddit | sysadmin | 10 comments
We installed 24H2 on a few test machines and found that they wouldn't connect to our NetApp CIFS shares anymore. Lots of threads on the internet trying to enable guest access or turn off SMB signing to try to get around it. What we found was that our NetApp SVM didn't have the AES encryption turned on for Kerberos. So it would fail on authentication waiting to negotiate a cipher suite that was installed on both ends. If you have a similar situation, check that you have AES-128 and AES-256 enabled for Kerberos and see if that helps. I'm setting up a new Samba server and I'll see if it has the same authentication issues as the NetApp did by default.
_BoNgRiPPeR_420@reddit
Microsoft made a ton of changes to SMB in Server 2025 and Windows 11 24H2. Signing required, QUIC support, as well as dialect management (e.g. 2.0, 3.0) are just a few of them. You would be wise to test as much as possible before pushing it out in any company, which it sounds like you're already doing.
As far as the NetApp goes, enabling AES-256 isn't a bad thing, so there is some positive to this.
https://www.reddit.com/r/Windows11/s/YYKmuB47jo
the_it_mojo@reddit
QUIC is also on Server 2022. By default, Windows 11 24H2 clients will realise this and start attempting QUIC transmission all day long even if QUIC traffic is being dropped by the firewall, as I recently discovered. Gotta love UDP.
_BoNgRiPPeR_420@reddit
I think you can only get it in 2022 on Azure, not on-prem.
https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-over-quic?tabs=windows-admin-center%2Cwindows-admin-center1
disclosure5@reddit
It scares me that I hear these things from NetApp users, knowing they are likely the larger sort of enterprises.
lweinmunson@reddit (OP)
When I saw them recommending that as a workaround, I just said "No, we're not doing that. We need to fix the problem, not create more."
extremetempz@reddit
By default on newer firmwares it does AES-128 and 256; on older ntap versions it did RC4 by default, with the option to enable it (I could be wrong).
I deprecated RC4 across Active Directory; NetApp was the last thing I did.
Here is the KB I followed:
https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/Unable_to_access_cifs_share_when_RC4_encryption_is_disabled_on_the_Domain_Controller
XInsomniacX06@reddit
A lot of those, by default when joined to the domain, create a keytab with DES, 3DES, RC4 and that's it. Other times it includes AES but doesn't negotiate it if the AD object doesn't have it configured in supported encryption types, or if you haven't fully disabled RC4 across the environment.
For some of the storage units you need support to do it for you 'cause they are the only ones with root. Fun times!
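The supported-encryption-types check mentioned in the comment above, as an added example that is not part of the thread or any commenter's post: a PowerShell function that decodes the AD attribute msDS-SupportedEncryptionTypes and flags accounts without AES. The function name Get-KerberosEncTypeReport is hypothetical and the sample account names are constructed.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and flag accounts lacking AES.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function Get-KerberosEncTypeReport {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Account)
    process {
        # Assumption: an unset attribute arrives as $null, which [int] casts to 0.
        $value  = [int]($Account.'msDS-SupportedEncryptionTypes')
        $names  = @($EncTypeBits.GetEnumerator() |
                    Where-Object { $value -band $_.Value } |
                    ForEach-Object { $_.Key })
        $hasAes = [bool]($value -band 0x18)   # 0x08 (AES128) or 0x10 (AES256)
        $finding = if ($value -eq 0)          { 'Attribute not set: KDC default applies' }
                   elseif (-not $hasAes)      { 'No AES: enable AES-128/AES-256' }
                   elseif ($value -band 0x07) { 'AES present, DES/RC4 still allowed' }
                   else                       { 'AES only' }
        [pscustomobject]@{
            Name     = $Account.Name
            Raw      = $value
            EncTypes = if ($names) { $names -join ', ' } else { '(not set)' }
            HasAES   = $hasAes
            Finding  = $finding
        }
    }
}

# Constructed sample objects standing in for Get-ADComputer output.
$sample = @(
    [pscustomobject]@{ Name = 'SVM-OLD';  'msDS-SupportedEncryptionTypes' = 7 }
    [pscustomobject]@{ Name = 'SVM-NEW';  'msDS-SupportedEncryptionTypes' = 24 }
    [pscustomobject]@{ Name = 'SVM-MIX';  'msDS-SupportedEncryptionTypes' = 28 }
    [pscustomobject]@{ Name = 'SVM-NONE'; 'msDS-SupportedEncryptionTypes' = $null }
)
$sample | Get-KerberosEncTypeReport | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter * -Properties 'msDS-SupportedEncryptionTypes' | Get-KerberosEncTypeReport
```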
tmacmd@reddit
It’s a lot better on newer versions of ONTAP. There was a cifs security option to allow particular encryptions (like rc4/aes/etc) which deprecates the cifs security option for is-aes-encryption-enabled
anonpf@reddit
Run Get-SmbServerConfiguration
If smb2 is set to false, you can try
Set-SmbServerConfiguration -EnableSMB2Protocol $true
If smb2 is too high, then set smb1 to true
Set-SmbServerConfiguration -EnableSMB1Protocol $true
faceofthecrowd@reddit
1st